Can National Security Advisor settle cybersecurity feud?

Two Congressional lawmakers want Susan Rice to get involved in a dispute between the State Department and industry officials over proposed export rules for technology that could be used for malicious purposes.

Congressional lawmakers are calling on President Obama's National Security Advisor Susan Rice to settle a debate pitting the private sectoragainst the State Department in a row over export controls on cybersecurity products and research.

Reps. Jim Langevin (D) of Rhode Island and Michael McCaul (R) of Texas plan on submitting a letter to Dr. Rice next week, asking her to intervene in the feud centering around how the US government classifies certain types of technology as "intrusion software."

The debate over export controls on cybersecurity products and research – meant to limit the sale of militarized spyware to repressive regimes – dates back to 2013 when the State Department took part in annual international negotiations to alter the 41-nation Wassenaar Arrangement, an international arms control pact.

Two years later, the vast majority of nations have implemented updated Wassenaar terms but divisions between information security professionals and software engineering academics and government agencies have stalled the changing from taking affect.

Now, Representatives Langevin and McCaul want Dr. Rice to significantly overhaul the government's draft rules that the two lawmakers – and many security professionals – view as overly restrictive and potentially harmful to international cybersecurity, by preventing research and the transport of critical network testing tools.

"Your involvement will help resolve the uncertainty facing businesses as they await resolution of what has already been an overlong process," the lawmakers say in the letter, which the two are circulating among their House colleagues in search of additional cosigners.

Officials from several government agencies including the Department of Homeland Security and Pentagon have suggested the most recent draft of the Wassenaar Agreement needs to be overhauled. Even the Department of Commerce – which is charged with writing the export controls – is taking the rare step of reopening a public comment period on the draft after it received overwhelmingly negative comments to the earlier proposal.

But Langevin as well as many industry experts complain that the State Department is blocking any substantial changes to how the US implements the Wassenaar deal.

"State has been telling Commerce that [protesting] is what industry does, and that they can wait it out.... But this is not a typical export control issue," he said. "The State Department will have to budge."

More than three-quarters of the Wassenaar Arrangement signatories have already implemented the 2013 changes, leaving the State Department in a precarious position if the US can't implement the core language that American negotiators helped determine.

Though many industry professionals involved with negotiations over the export controls say the State Department has been willing to compromise on certain aspects of the proposal, it appears only willing to list exemptions to the Wassenaar agreement but not change the core agreement.

A State Department officials told Passcode he was optimistic that a reasonable compromise could be found along those lines, and said "discussions with industry partners were still ongoing."

But even though many cybersecurity experts were critical of the government's initial plan to apply Wassenaar, most applaud the Department of Commerce's willingness to listen to industry professionals.

"The United States is really the first to listen to industry experts," said Dave Aitel of the security firm Immunity. "And most of the cybersecurity industry is located in the United States, so it was bound to be the place where the real pushback would begin."